Apparatus and method of detecting network attack situation

ABSTRACT

Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Hash engines and detection engines for processing the alarms in the network are provided in parallel, in a number equal to the number of data groups classified as network attack situations. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.

This application claims the priority of Korean Patent Application No. 10-2004-0101086, filed on Dec. 3, 2004, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a network security technology, and more particularly, to an apparatus and method of detecting a network attack situation in real time by processing alarms indicating intrusion detection with high efficiency.

2. Description of the Related Art

Network attack situation detection refers to analyzing the interrelation among a plurality of alarms indicating intrusion detection, which are raised at a plurality of locations in a network, and presuming an attack situation based on the analysis. For example, if a plurality of alarms are raised about a host, it can be presumed that the host is being attacked. Since network attack situation detection reflects the current attack situation in the network, real-time analysis is particularly important.

However, there are limitations on analyzing alarms in a network in real time through a conventional database inquiry. For example, when alarm “A” is raised, if a conventional database inquiry is made to determine the number of times that the same alarm has been repeatedly raised during a predetermined interval, the alarm “A” must be compared with a great number of other alarms. If such comparisons are made for every alarm, the performance of an apparatus for detecting network attack situations is severely undermined.

In particular, since network size is increasing and a tremendous number of alarms are being raised due to a high false-positive rate, the apparatus is required to process a large amount of data to analyze the alarms indicating intrusion detection.

SUMMARY OF THE INVENTION

The present invention provides an apparatus and method of detecting network attack situations, classified into ten groups, in real time based on a great number of alarms indicating intrusion detection.

According to an aspect of the present invention, there is provided an apparatus for detecting a network attack situation including: an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory.

According to another aspect of the present invention, there is provided a method of detecting a network attack situation including: collecting a plurality of alarms raised in a network; extracting attributes of the alarms and generating at least one first data characterized by a combination of the attributes; and determining an attack situation in the network based on whether a number of times that the first data is generated exceeds a predetermined critical value.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:

FIG. 1 is a table showing ten groups of network attack situations according to an embodiment of the present invention;

FIG. 2 is a block diagram of an apparatus for detecting a network attack situation according to an embodiment of the present invention;

FIG. 3 is a detailed block diagram of an alarm processor illustrated in FIG. 2;

FIG. 4 illustrates a hash structure of a hash memory;

FIG. 5 illustrates the structure of a hash entry counter;

FIG. 6 illustrates pseudocode of a counting algorithm; and

FIG. 7 is a flowchart illustrating a method of detecting a network attack situation according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth therein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the invention to those skilled in the art.

FIG. 1 is a table showing ten groups of network attack situations according to an embodiment of the present invention. Detecting a network attack situation based on an analysis of the interrelation among alarms indicating intrusion detection involves measuring the number of times that alarms having identical attributes are raised during a predetermined interval and presuming an attack situation in the network from that count. FIG. 1 illustrates ten groups of attack situations. The ten groups are distinguished by which combination of four attributes, an attack type 120, an attacker IP address 130, a target IP address 140 and a service type 150, the alarms are required to share: within each group, the alarms counted together have identical values for the attributes that define the group.

Such groups are yardsticks for measuring the number of times that attacks having identical attributes are staged on a network. For example, if an attacker repeatedly attempts the same attack on a host, such attempts are detected as attack situation 1-1 as illustrated in FIG. 1. A description of each group of attack situations is given under description 160 of FIG. 1 and thus is omitted from the Detailed Description of the Invention.

As described above, the occurrence of an attack situation is determined by observing alarms having identical attributes, that is, by measuring the number of times that such alarms have been raised. The measurement covers only the alarms raised during a predetermined interval: detecting an attack situation is determining whether the number of alarms having identical attributes and raised during the predetermined interval exceeds a critical value. The predetermined interval is the length of time during which an alarm indicating intrusion detection remains valid for this count.

FIG. 2 is a block diagram of an apparatus for detecting a network attack situation according to an embodiment of the present invention. FIG. 7 is a flowchart illustrating a method of detecting a network attack situation according to an embodiment of the present invention. Referring to FIG. 2, the apparatus includes an alarm receiver 210 receiving alarms from the network so that a network attack situation can be detected with high efficiency, an alarm processor 220 processing the alarms and detecting an attack situation, a hash memory 230 storing data needed for processing the alarms, a control memory 240 storing control data, and an external interface 250.

The alarm receiver 210 receives alarms from a network (S710), converts the alarms into alarm data, and transmits the alarm data to the alarm processor 220. The alarm processor 220 processes the alarm data and determines whether an attack situation has occurred using the lookup and storing functions of the hash entries kept in the hash memory 230. When the alarm processor 220 determines that an attack situation has occurred, it transmits the detected attack situation to the external interface 250.

The external interface 250 provides an interface function with the external apparatus needed to report the detected attack situation. The external interface 250 also provides an interface function for control from the external apparatus. Control information, such as critical values, received from the external apparatus is transmitted to the alarm processor 220. Then, the alarm processor 220 transmits the control information to the control memory 240, which stores the control information.

FIG. 3 is a detailed block diagram of the alarm processor 220 illustrated in FIG. 2. The alarm processor 220 includes an alarm buffer unit 310, an alarm-parsing unit 320, a hash engine unit 330, a detection engine unit 340, and an interface control unit 350.

The alarm buffer unit 310 receives alarm data from the alarm receiver 210. The alarm-parsing unit 320 receives alarms from the alarm buffer unit 310, extracts attributes of the alarms, creates data having the extracted attributes, and transmits the data to each of the hash engines included in the hash engine unit 330. The hash engine unit 330 looks up, through a hash lookup, the hash entries having attributes identical to those of the data. If the hash lookup fails, the hash engine unit 330 generates a new hash entry and transmits the new hash entry to the detection engine unit 340.

The detection engine unit 340 receives hash entries of alarm data having identical attributes from the hash engine unit 330, determines whether the number of alarms exceeds a critical value based on the hash entries, and detects an attack situation based on the determination. The interface control unit 350 provides an interface with the external interface 250.

The alarm-parsing unit 320 extracts four attributes, namely an attack type, an attacker IP address, a target IP address, and a service type, from the alarm data received from the alarm buffer unit 310. The alarm-parsing unit 320 determines to which group of attack situations the alarm data belongs based on the attributes as defined in the table of FIG. 1 and transmits information regarding the determined group of attack situations to the hash engine unit 330 (S720).

The hash engine unit 330 generates a hash key using the determined group of attack situations received from the alarm-parsing unit 320 (S730) and determines whether the hash memory 230 includes hash entries having identical attributes. If hash entries having identical attributes are found, the hash engine unit 330 transmits the hash entries to the detection engine unit 340. If hash entries having identical attributes are not found, the hash engine unit 330 generates a new hash entry and transmits the new hash entry to the detection engine unit 340.

In the present embodiment, the alarm-parsing unit 320 generates ten groups of attack situations (see FIG. 1). To process the ten groups of attack situations with high efficiency, the hash engine unit 330 includes ten parallel engines, i.e., zeroth through ninth hash engines. In other words, the ten parallel engines included in the hash engine unit 330 process the ten groups of attack situations, respectively (S740).

FIG. 4 illustrates the hash structure maintained in the hash memory 230 and controlled by the hash engine unit 330. The hash memory 230 includes an index memory 410 and a data memory 420. The index memory 410 is accessed using a hash key. Since index entries 430 having different attributes may nevertheless map to the same hash key (a hash collision), a plurality of index entries 430 are maintained for each index, and the attributes stored for each candidate entry are compared with those of the incoming data to select the matching entry.

Each of the index entries 430 includes an effective (valid) bit indicating whether the corresponding index entry is in use and an address field indicating an address in the data memory 420 if the index entry is effective. Entries included in the data memory 420 are addressed by the index entries 430. Each of the first through N-th entries includes attribute information, namely the attack pattern (type), the attacker IP address, the target IP address and the service pattern (type), and counter information managed by the detection engine unit 340.
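The FIG. 4 layout as a small software model, added here as an example that is not the patent's own code: an index memory of k indexes with m index entries each (effective bit plus data-memory address) and a data memory of n entries holding the attribute tuple and a counter. The hash function (CRC-32 of the joined attributes), the sizes, and what happens when an index row or the data memory is full (the insert fails and the alarm is not counted) are assumptions; the page does not say how a full row is handled. Constructing the memory with k=1 forces every key into one index, which makes the collision path visible.

```python
# Added example, not the patent's own code: the FIG. 4 hash memory as a small
# software model.  Hash function, sizes and the full-row behaviour are assumed.
import zlib


class HashMemory:
    """Index memory 410: k indexes of m index entries (effective bit, address).
    Data memory 420: n entries of [attribute tuple, counter], or None if free."""

    def __init__(self, k: int = 8, m: int = 2, n: int = 16):
        self.k, self.m, self.n = k, m, n
        self.index = [[(0, 0)] * m for _ in range(k)]
        self.data = [None] * n
        self.free = list(range(n))           # unused data-memory addresses

    def hash_key(self, attrs: tuple) -> int:
        """Assumed hash function: CRC-32 of the joined attributes, reduced to k."""
        return zlib.crc32("|".join(attrs).encode()) % self.k

    def lookup(self, attrs: tuple):
        """Return the data-memory address holding attrs, or None if the lookup
        fails.  Different attribute tuples can share a hash key, so every
        effective entry of the index is checked against the stored attributes."""
        for effective, addr in self.index[self.hash_key(attrs)]:
            if effective and self.data[addr][0] == attrs:
                return addr
        return None

    def insert(self, attrs: tuple):
        """Allocate a data entry and an index entry for attrs; return the address,
        or None when the index row or the data memory is full (assumed: the
        page does not say how a full row is handled)."""
        row = self.index[self.hash_key(attrs)]
        for i, (effective, _) in enumerate(row):
            if not effective and self.free:
                addr = self.free.pop(0)
                self.data[addr] = [attrs, 0]
                row[i] = (1, addr)
                return addr
        return None

    def count(self, attrs: tuple):
        """Hash-engine step (S730): look up or create the entry, then let the
        counter field grow; returns the new count or None if no entry could be
        made.  The FIG. 5 slot counters would replace this single counter."""
        addr = self.lookup(attrs)
        if addr is None:
            addr = self.insert(attrs)
            if addr is None:
                return None
        self.data[addr][1] += 1
        return self.data[addr][1]
```

With `HashMemory(k=1, m=2, n=4)`, two different attribute tuples land in the same index and are told apart only by the attribute comparison in `lookup`; a third tuple finds both index entries effective and `count` returns None, which is the case a hardware implementation has to decide on (drop, evict, or report) and the page leaves open.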

The detection engine unit 340 counts the number of alarms having identical attributes in a hash entry received from the hash engine unit 330. The detection engine unit 340 also determines how many times the alarms have been raised within a valid time and whether that number exceeds a critical value. If the number of times that the alarms have been raised exceeds the critical value, the detection engine unit 340 detects this as an attack situation and notifies the interface control unit 350 of information regarding the detection.

FIG. 5 illustrates the entry structure that the detection engine unit 340 manages using the hash entries. One such entry is managed for each set of identical attributes. Referring to FIG. 5, an LTT (last time tick) field 510 stores the time information of the alarm raised last among the alarms having identical attributes. Zeroth through (N−1)th SLOTs 530 store the counter information generated in each time slot, and a SUM field 520 indicates the sum of all slot counters.

FIG. 6 illustrates an algorithm for counting alarms having identical attributes and determining whether the number of alarms exceeds a critical value using the information of an entry structure as illustrated in FIG. 5. As described above, according to the mechanism of the present invention, such an analysis process is applied only to alarms that occurred within the valid time. For the sake of high accuracy, a separate counter is prepared for each time unit, and the slot counter in use moves as time goes by.

Referring to the algorithm of FIG. 6, if the difference between the arrived time tick (ATT) of the incoming alarm and the last time tick (LTT) stored in the hash entry is greater than or equal to the window size (N), the value of the LTT is replaced with the value of the ATT and every SLOT counter is reset to zero. Then the SLOT indexed by the remainder obtained by dividing the ATT value by N is set to one and the value of SUM is also set to one.

When the ATT and LTT values are equal, the count of the SLOT indexed by the LTT and the SUM are each increased by one. If ATT−LTT is greater than zero and smaller than N, the sum of the counter values in the SLOTs indexed by LTT+1 through ATT−1 (modulo N) is subtracted from the SUM and those SLOTs are reset to zero; the SLOT indexed by the ATT (modulo N) is then set to one, the value of the SUM is increased by one, and the LTT is replaced with the ATT. Note that the SLOT indexed by the ATT may still hold the count recorded N ticks earlier, at tick ATT−N; that stale count must also be subtracted from the SUM before the SLOT is overwritten, otherwise the SUM drifts upward and an attack situation can be reported that the alarms in the window do not support.

When the detection engine unit 340 completes counting the number of alarms in the entry, it determines whether an attack situation has occurred based on whether the value of the SUM exceeds the critical value. The critical value can be set through the external interface 250. Setting information transmitted to the external interface 250 is passed on to the interface control unit 350, which stores the setting information in the control memory 240. Thus, the critical value used by the detection engine unit 340 is updated (S750).
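The whole path from parsed alarm to detection, from the grouping of S720 through the hash lookup of S730 and the FIG. 6 counting step to the critical-value check of S750, as an added Python example that is not the patent's own code or pseudocode. A dict keyed by (group, attribute tuple) stands in for the parallel hash engines and the hash memory; the group table, the critical values, the sample alarms and the handling of alarms that arrive out of tick order are assumptions, since FIG. 1 is not reproduced on the page and FIG. 6 does not cover late arrivals. The flag `retire_att_slot=False` reproduces the literal FIG. 6 wording, which retires only the slots LTT+1 through ATT−1, so that the upward drift of SUM caused by the stale count in the slot indexed by ATT can be seen on the sample data.

```python
# Added example, not the patent's own code: grouping, a hash table of per-group
# entries, the FIG. 5 slot counters with the FIG. 6 update rule, and the
# critical-value check.  Group table, thresholds and sample alarms are assumed.
from dataclasses import dataclass, field

ATTRIBUTES = ("attack_type", "attacker_ip", "target_ip", "service_type")

# FIG. 1 defines ten groups over the four attributes but is not reproduced on the
# page.  "1-1" follows the page's one worked example (the same attacker repeating
# the same attack on one host); the other three groups are assumptions.
GROUPS = {
    "1-1": ("attack_type", "attacker_ip", "target_ip"),
    "A": ("attacker_ip",),                 # assumed: one source raising many alarms
    "B": ("target_ip",),                   # assumed: one host drawing many alarms
    "C": ("attack_type", "service_type"),  # assumed: one attack type on one service
}
CRITICAL = {"1-1": 2, "A": 10, "B": 4, "C": 10}  # assumed control-memory contents


@dataclass
class Entry:
    """One data-memory entry (FIG. 5): LTT, SUM and N per-tick slot counters."""
    n: int
    retire_att_slot: bool = True   # False reproduces the literal FIG. 6 wording
    ltt: int = -1                  # last time tick; -1 = no alarm seen yet
    total: int = 0                 # the SUM field
    slots: list = field(default_factory=list)

    def __post_init__(self):
        self.slots = [0] * self.n

    def count(self, att: int) -> int:
        """FIG. 6 step for an alarm at tick ATT; returns alarms in the N-tick window."""
        n = self.n
        if self.ltt < 0 or att - self.ltt >= n:      # first alarm or window expired
            self.slots = [0] * n
            self.slots[att % n] = 1
            self.total = 1
            self.ltt = att
        elif att == self.ltt:                        # same tick as the last alarm
            self.slots[att % n] += 1
            self.total += 1
        elif att > self.ltt:                         # forward move inside the window
            # FIG. 6 retires slots LTT+1..ATT-1.  Slot ATT mod N must go too: it may
            # still hold the count from tick ATT-N, which has to leave SUM as well.
            last = att + 1 if self.retire_att_slot else att
            for t in range(self.ltt + 1, last):
                self.total -= self.slots[t % n]
                self.slots[t % n] = 0
            self.slots[att % n] = 1
            self.total += 1
            self.ltt = att
        elif self.ltt - att < n:                     # assumed: late alarm, still inside
            self.slots[att % n] += 1                 # the window: count it, keep LTT
            self.total += 1
        return self.total                            # assumed: older late alarms dropped


class Detector:
    """A dict keyed by (group, attribute tuple) stands in for the per-group hash
    engines and the index/data memory of FIG. 4; critical values are per group."""

    def __init__(self, window: int, critical: dict):
        self.n, self.critical, self.table = window, dict(critical), {}

    def process(self, tick: int, alarm: dict) -> list:
        """Update every group's entry for one alarm; return (group, key, count) for
        each group whose SUM exceeds its critical value."""
        detected = []
        for group, attrs in GROUPS.items():
            key = tuple(alarm[a] for a in attrs)     # hash-key material (S730)
            entry = self.table.get((group, key))     # hash lookup
            if entry is None:                        # lookup failed: new entry
                entry = self.table[(group, key)] = Entry(self.n)
            total = entry.count(tick)
            if total > self.critical[group]:
                detected.append((group, key, total))
        return detected


# Constructed sample: (tick, attack_type, attacker_ip, target_ip, service_type).
SAMPLE_ALARMS = [
    (0, "ssh-brute", "192.0.2.10", "198.51.100.5", "ssh"),
    (1, "ssh-brute", "192.0.2.10", "198.51.100.5", "ssh"),
    (4, "ssh-brute", "192.0.2.10", "198.51.100.5", "ssh"),
    (5, "ssh-brute", "192.0.2.10", "198.51.100.5", "ssh"),
    (5, "ssh-brute", "192.0.2.10", "198.51.100.5", "ssh"),
    (5, "ssh-brute", "192.0.2.77", "198.51.100.5", "ssh"),
    (5, "ssh-brute", "192.0.2.77", "198.51.100.5", "ssh"),
    (9, "ssh-brute", "192.0.2.10", "198.51.100.5", "ssh"),
]


def run(alarms=SAMPLE_ALARMS, window=4, critical=CRITICAL) -> list:
    """Feed alarms in arrival order; return (tick, group, key, count) detections."""
    det = Detector(window, critical)
    out = []
    for tick, *values in alarms:
        alarm = dict(zip(ATTRIBUTES, values))        # the alarm receiver's alarm data
        for group, key, total in det.process(tick, alarm):
            out.append((tick, group, key, total))
    return out
```

On the sample data `run()` returns two detections: group 1-1 fires on the second alarm at tick 5 (three identical alarms inside the four-tick window against a critical value of 2), and group B fires on the last alarm at tick 5 (five alarms against one target against a critical value of 4); the alarm at tick 9 falls a full window later and starts every entry over. With `retire_att_slot=False` the entry for attacker 192.0.2.10 already reports three alarms at tick 4, although only the alarms at ticks 1 and 4 lie inside the window, because the count from tick 0 was never removed from SUM.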

The present invention can also be implemented as computer-readable code on a computer-readable recording medium. The computer-readable recording medium is any data storage device that can store data which can be thereafter read by a computer system. Examples of the computer-readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the Internet).

The computer-readable recording medium can also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.


As described above, according to the apparatus and method of detecting a network attack situation, hash engines and detection engines for processing the alarms in the network are provided in parallel, in a number equal to the number of data groups classified as network attack situations. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the following claims.

1. An apparatus for detecting a network attack situation comprising: an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory.

2. The apparatus of claim 1, wherein the alarm processor comprises: an alarm parsing unit extracting attributes of the alarms based on the alarm data and generating at least one first data characterized by the attributes; a hash engine unit being equal to the number of the first data and generating a hash key based on the first data, and generating a plurality of hash entries having identical attributes or generating a new hash entry if a lookup fails; a detection engine unit receiving the hash entries, determining whether the critical value is exceeded based on the hash entries, and corresponding to the hash engine unit one to one; and an interface control unit transmitting/receiving information regarding whether the critical value is exceeded to/from the external device.

3. The apparatus of claim 2, wherein the alarm parsing unit extracts such attributes as an attack type, an attacker IP address, a target IP address, and a service type from the alarm data and generates the first data characterized by a combination of the extracted attributes.

4. The apparatus of claim 1, wherein the memory comprises: a hash memory unit storing the hash entries; and a control memory unit storing control data including the critical value.

5. The apparatus of claim 4, wherein the hash memory unit comprises an index memory accessed by the hash key and storing k (k is a positive integer) indexes having m (m is a positive integer) index entries and a data memory addressed by the m index entries and storing n (n is a positive integer) entries containing predetermined attribute information and counter information, and is operated by the hash engine unit.

6. The apparatus of claim 5, wherein the attribute information comprises the attack type, the attacker IP address, the target IP address, and the service type.

7. The apparatus of claim 2, wherein the detection engine unit counts the number of alarms having identical attributes based on the hash entries received from the hash engine unit, calculates the number of times that the alarms have been raised within a valid time, and determines whether the number of alarms exceeds the critical value.

8-12. (canceled)